Gmail starts scanning images in emails for malware

Google has announced an interesting change in the way that Gmail handles images in the messages you receive.

Up until now, Gmail has not automatically shown you images contained inside received emails, until you say that you're happy for them to be shown.

This has been something of a pain for internet marketers sending out email newsletters, as it means they need you to approve them as a trusted sender before you'll get to automatically see their beautifully formed HTML in all its glory, complete with its fancy inline images.

And it's been an irritation for some Gmail users too, who were frustrated by having to click to "display images below".

However, the reasoning for Google to have this functionality in Gmail in the first place was a sound one.

When you open an email created using the same HTML markup language used to create webpages, you can be sharing a ton of information with third parties.

That's because the emails could contain inline images loaded from third-party servers.

And each time an image is fetched from the remote third-party server where it is hosted, you are revealing information about yourself - such as your choice of browser, your IP address (which might in turn reveal your location), and so forth.

Furthermore, people and companies can track if you have opened and read the message they have sent you, by checking their server logs to see if a particular image (known as a web beacon) inside the email has been viewed.

Google says that from now on the web version of Gmail will display images inside emails automatically. The same functionality will come to the official Gmail apps for iOS and Android shortly.

Furthermore, to protect against potential security issues, Google says that Gmail will serve all images through its own proxy servers, having checked them for known malware.

Of course, this does mean that Google is *changing* the content of your emails. Changing links which used to grab images from third-party servers and now getting them from their own proxy servers instead.

In short, you should no longer have to worry about spammers, stalkers and internet marketers finding out where you might be in the world by embedding a tiny graphic in their email.

However, Google warns that it may still be possible for senders to know if you have opened an email, if unique image links are used.

In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.

At least publicly, the email service providers used by businesses regularly sending out communications to their customers are putting on a brave face. They may find it harder to collect some data on the success of email campaigns, but at least their emails will now be viewable as intended in all of their graphic glory.

In Gmail’s announcement today, they said image caching allows them to securely turn on images by default. Image caching still lowers our ability to track repeat opens, but turning those images on means we’ll be more accurate when tracking unique opens. At least, theoretically it should work that way.

By leaving images turned off, Gmail has been allowing subscribers to open emails without downloading our tracking pixel, so those opens were invisible to us. If Gmail is going to display images automatically, those previously invisible opens should suddenly become visible.

If you don't like Gmail enabling inline images by default, the good news is that you can disable this new functionality easily enough.

Here is how:

Open Gmail.

Click the gear icon in the top right.

Select Settings.

Scroll down to the Images section (stay in the "General" tab).

Choose Ask before showing.

Click Save Changes at the bottom of the page.

Gmail is, of course, a huge player in the email space - and it will be fascinating to watch what this decision will mean for the future of legitimate email marketing communications, and for the spammers and cybercriminals who attempt to abuse the medium.

Subscribe to the free GCHQ newsletter

Over 75,000 people follow Graham Cluley for news and
advice about computer security and internet privacy.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and gives presentations on the topic of computer security and online privacy.
Follow him on Twitter at @gcluley, Google Plus, Facebook, or drop him an email.

This is a really stupid move. Google has been downgrading their security, from Youtube and the Google Plus linkage, to still having "Night Vision Spy Camera" as the #4 top free android game, even though its fake, puts a green tint over the camera, and has fake install and reviews. And now they are allowing images. Great! Now people can track your IP address just by emailing you. Gmail's assurance of scanning images means absolutely nothing. Is it going to be looking for just malware? Or IP logging images too? SMH. And I wonder if they left an option to disable it overall.

0

| ReplyHide replies ∧

Visitor

Nick

December 13, 2013 7:25 am

Nevermind my last comment. I read the whole article now. But I still think gmail's caching will not provide any security. I believe hackers will find a way around this.

0

| ReplyHide replies ∧

Visitor

Stu

December 13, 2013 9:30 pm

You blurred out the name and email address in the first
picture but left it unedited in the animated gif. Oops!